Select Authentication Protocols

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

  • Windows Server 2003 IAS can perform authentication on behalf of any access server that is configured as a RADIUS client. You can use one of a number of protocols to authenticate dial-up, VPN, wireless, and authenticating switch users before allowing them access to the network.

Before you deploy IAS, determine which authentication protocols you will use to authenticate remote access clients. Use the most secure protocols that your network access servers and clients can support. If you need a high degree of security, you can configure IAS to accept only a few very secure authentication protocols. Alternatively, if your organization requires more flexibility, you can configure IAS to accept less secure authentication protocols when attempts to use more secure authentication protocols are unsuccessful.

Table 7.2 lists the authentication protocols that IAS supports and summarizes the conditions for which each protocol is used and the requirements for each protocol.

Table 7.2   Authentication Protocols That IAS Supports

Each entry gives the type of authentication, the protocol characteristics, and the protocol requirements.

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

Type of authentication: Certificate-based

Protocol characteristics:

  • Works for dial-up, VPN, wireless access, and authenticating switch access.
  • Provides authentication by means of a registry-based user certificate or a smart card.
  • Provides mutual authentication.
  • Generates cryptographic keys, which are needed for wireless LAN connections and for dial-up and VPN connections that use Microsoft Point-to-Point Encryption (MPPE).
  • Enables uninterrupted transfer between wireless access points (the user does not need to re-enter credentials when moving between access points).
  • Enables unauthenticated access for visitors.

Protocol requirements:

  • IAS must be a member of a Windows 2000 or Windows Server 2003 domain.
  • Both client and server must support this protocol.
  • The IAS server must have a certificate installed in the certificate store. The certificate must contain the Server Authentication purpose in EKU extensions. The certificate must meet all other certificate requirements.
  • The client computer or user certificate must contain the Client Authentication purpose in EKU extensions. The certificate must meet all other certificate requirements. The certificate can be installed in the client computer certificate store or on a smart card.

Protected Extensible Authentication Protocol (PEAP)

Type of authentication: Certificate and password-based (depending upon the selected authentication method)

Protocol characteristics:

  • Currently for 802.1X wireless and authenticating switch clients only.
  • PEAP does not specify an authentication method, but provides a secure "wrapper" for other EAP authentication protocols, such as EAP-MS-CHAPv2, that operate within the outer TLS-encrypted channel provided by PEAP.
  • Enables uninterrupted transfer between wireless access points (the user does not need to re-enter credentials when moving between access points).
  • Does not allow unauthenticated access for visitors.

Protocol requirements:

  • Both client and server must support this protocol.
  • The IAS server must have a certificate installed in the certificate store. The certificate must contain the Server Authentication purpose in EKU extensions. The certificate must meet all other certificate requirements.

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)

Type of authentication: Password-based

Protocol characteristics:

  • Provides mutual authentication.
  • Generates cryptographic keys, which are needed for dial-up and VPN connections that use MPPE.
  • Enables you to change passwords.
  • Works for dial-up and VPN access.

Protocol requirements:

  • Both client and server must support this protocol.

EAP-MSCHAPv2

Type of authentication: Password-based

Protocol characteristics:

  • Provides mutual authentication.
  • Generates cryptographic keys, which are needed for dial-up and VPN connections that use MPPE.
  • Enables you to change passwords.

Protocol requirements:

  • IAS must be a member of a Windows 2000 or Windows Server 2003 domain.
  • Both client and server must support this protocol.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Type of authentication: Password-based

Protocol characteristics:

  • Provides encrypted authentication for Microsoft® Windows® 98, Microsoft® Windows® Millennium Edition, or Microsoft Windows NT 4.0 (with the latest dial-up networking upgrade).
  • Generates cryptographic keys, which are needed for dial-up and VPN connections that use Microsoft Point-to-Point Encryption (MPPE).
  • Enables you to change passwords.

Protocol requirements:

  • Both client and server must support this protocol.

Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)

Type of authentication: Password-based

Protocol characteristics:

  • Provides less security than EAP-TLS.
  • Does not generate cryptographic keys.
  • Works for dial-up and authenticating switch–based access, but not wireless or PPTP-based VPN access.

Protocol requirements:

  • Requires a reversibly encrypted password to be stored in the account database (local Security Accounts Manager (SAM) or domain).
  • IAS can be a member of a Windows NT 4.0 domain, a Windows 2000 domain, or a Windows Server 2003 domain.
  • Both client and server must support this protocol.

Challenge Handshake Authentication Protocol (CHAP)

Type of authentication: Password-based

Protocol characteristics:

  • Provides encrypted authentication for a combination of different operating systems, such as Macintosh or UNIX operating systems.
  • Does not generate cryptographic keying material.

Protocol requirements:

  • Requires a reversibly encrypted password to be stored in the account database (local SAM or domain).
  • Both client and server must support this protocol and reversibly encrypted passwords.

Password Authentication Protocol (PAP)

Type of authentication: Password-based

Protocol characteristics:

  • Provides unencrypted authentication. Use only if clients do not support other protocols.
  • Does not generate cryptographic keying material.

Protocol requirements:

  • Both client and server must support this protocol.

Unauthenticated Access

Type of authentication: None

Protocol characteristics:

  • Grants access when the remote access client does not supply authentication credentials.
  • Does not generate cryptographic keying material.

Protocol requirements:

  • Both client and server must support this protocol.

Before the IAS server can access Active Directory–based domains to authenticate user credentials and user access account properties, the IAS server must be registered in those domains.
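The following Python script is an added example, not IAS code or anything from the Microsoft documentation. It encodes the conditions stated in Table 7.2 as data and applies the selection policy described above: prefer the most secure protocol that both client and server support, optionally with a floor below which IAS should not fall back. Assumptions not taken from the page: the strongest-to-weakest ordering of the protocols (the table's own order); treating the non-EAP password methods (MS-CHAP family, CHAP, PAP) as dial-up/VPN methods because the table names only MPPE links for them; that PEAP produces keying material (the table is silent); and the standard PKIX EKU object identifiers used to stand in for the "Server Authentication" and "Client Authentication" purposes.

```python
"""Eligibility and preference check for the authentication protocols in Table 7.2.

Constructed example (not IAS code): the table's stated conditions are encoded
as data, and choose() applies the policy from the text above, namely prefer the
most secure protocol both sides support, with an optional floor for fallback.
"""
from dataclasses import dataclass

# Standard PKIX extended key usage OIDs for the "Server Authentication" and
# "Client Authentication" purposes that the table requires in certificates.
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"

ALL = frozenset({"dialup", "vpn", "wireless", "switch"})
# Assumption: the non-EAP password methods (MS-CHAP family, CHAP, PAP) are
# treated as dial-up/VPN (PPP) methods; the table names only MPPE links for them.
PPP = frozenset({"dialup", "vpn"})


@dataclass(frozen=True)
class Protocol:
    name: str
    access: frozenset            # access types the protocol works for
    generates_keys: bool         # produces keying material for MPPE / wireless
    needs_domain: bool = False   # IAS must be a Windows 2000/2003 domain member
    needs_server_cert: bool = False
    needs_client_cert: bool = False
    needs_reversible_pw: bool = False


# Strongest first. The ordering is this example's reading of the table
# (certificate-based first, then keyed password methods, then unkeyed ones).
PROTOCOLS = (
    Protocol("EAP-TLS", ALL, True, needs_domain=True,
             needs_server_cert=True, needs_client_cert=True),
    # generates_keys=True for PEAP is an assumption; the table does not say.
    Protocol("PEAP", frozenset({"wireless", "switch"}), True, needs_server_cert=True),
    Protocol("EAP-MSCHAPv2", PPP, True, needs_domain=True),
    Protocol("MS-CHAPv2", PPP, True),
    Protocol("MS-CHAP", PPP, True),
    Protocol("EAP-MD5", frozenset({"dialup", "switch"}), False, needs_reversible_pw=True),
    Protocol("CHAP", PPP, False, needs_reversible_pw=True),
    Protocol("PAP", PPP, False),
)
ORDER = [p.name for p in PROTOCOLS]


@dataclass
class Deployment:
    """Facts about one access scenario, as an administrator would collect them."""
    access: str
    client_supports: frozenset
    domain_member: bool = False
    server_cert_ekus: frozenset = frozenset()
    client_cert_ekus: frozenset = frozenset()
    reversible_passwords: bool = False
    uses_mppe: bool = False      # dial-up/VPN link is encrypted with MPPE


def unmet_requirements(proto, dep):
    """Return the table conditions that the deployment fails for this protocol."""
    problems = []
    if dep.access not in proto.access:
        problems.append(f"not usable for {dep.access} access")
    if proto.needs_domain and not dep.domain_member:
        problems.append("IAS must be a Windows 2000/2003 domain member")
    if proto.needs_server_cert and SERVER_AUTH_EKU not in dep.server_cert_ekus:
        problems.append("IAS server certificate lacks Server Authentication EKU")
    if proto.needs_client_cert and CLIENT_AUTH_EKU not in dep.client_cert_ekus:
        problems.append("client certificate lacks Client Authentication EKU")
    if proto.needs_reversible_pw and not dep.reversible_passwords:
        problems.append("requires reversibly encrypted passwords in the account database")
    if (dep.access == "wireless" or dep.uses_mppe) and not proto.generates_keys:
        problems.append("does not generate the keys wireless/MPPE connections need")
    return problems


def eligible(dep):
    """Protocol names, strongest first, that both sides support and dep satisfies."""
    return [p.name for p in PROTOCOLS
            if p.name in dep.client_supports and not unmet_requirements(p, dep)]


def choose(dep, weakest_allowed="EAP-TLS"):
    """Strongest eligible protocol no weaker than weakest_allowed, else None.

    The default floor models the 'accept only very secure protocols' policy;
    a lower floor models the fallback policy described in the text.
    """
    floor = ORDER.index(weakest_allowed)
    for name in eligible(dep):
        if ORDER.index(name) <= floor:
            return name
    return None


if __name__ == "__main__":
    # Constructed scenario: 802.1X wireless with a domain-joined IAS server.
    wlan = Deployment("wireless", frozenset({"EAP-TLS", "PEAP", "MS-CHAPv2"}),
                      domain_member=True,
                      server_cert_ekus=frozenset({SERVER_AUTH_EKU}),
                      client_cert_ekus=frozenset({CLIENT_AUTH_EKU}))
    print(eligible(wlan), choose(wlan))
```

The useful output is not the chosen name but the list from unmet_requirements(): when a client is unexpectedly dropped to a weaker method, that list names the missing EKU, domain membership, or password-storage setting to fix, which is the check an administrator wants before loosening the policy to allow fallback.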